Listen to this Post

Introduction:
Bring Your Own Vulnerable Driver (BYOVD) attacks have become a silent epidemic in kernel‑level defense evasion. By abusing legitimately signed but vulnerable drivers from vendors like Intel, ASUS, and Corsair, threat actors disable EDRs, terminate protected processes, and elevate privileges—all while Windows trusts the code by default. The latest LOLDrivers update reveals that over 72% of known vulnerable driver samples are not covered by Microsoft’s official blocklist, leaving a massive blind spot for enterprises relying solely on default security controls.
Learning Objectives:
- Identify and enumerate vulnerable kernel drivers loaded on Windows systems using native tools and LOLDrivers data.
- Implement application control policies (WDAC) and HVCI to block known BYOVD‑capable drivers.
- Build a proactive threat hunting workflow using public blocklists and Sysmon telemetry to detect driver‑based privilege escalation.
You Should Know
- Understanding BYOVD & LOLDrivers – Why Signed Drivers Become Weapons
BYOVD attacks exploit a fundamental trust assumption: Windows loads any driver that carries a valid digital signature, even if the driver contains critical vulnerabilities (e.g., arbitrary MSR writes, physical memory read/write, or process termination IOCTLs). Attackers drop a vulnerable driver onto disk, load it via `sc.exe` or Win32 API, then send a malicious IOCTL to disable kernel callbacks, kill EDR processes, or grant SYSTEM privileges.
The LOLDrivers project (loldrivers.io) maintains a community‑curated database of such drivers. As of April 2026, it tracks 615 unique drivers across 2,121 known vulnerable samples. Key metrics from the latest dashboard:
– 460 samples (21.7%) load even with HVCI / Memory Integrity enabled.
– 1,523 samples (72.7%) are not covered by Microsoft’s recommended vulnerable driver blocklist (DriverSiPolicy.p7b).
– Only 573 samples overlap with Microsoft’s block rules.
This gap means that most BYOVD attacks succeed out‑of‑the‑box on fully patched Windows 10/11 systems.
- Detecting Vulnerable Drivers on Your System – Step‑by‑Step
Use the following commands to enumerate loaded drivers and cross‑reference them with the LOLDrivers dataset.
Step 1: List all loaded drivers with their signatures (Windows PowerShell as Administrator):
Export loaded drivers with details
driverquery.exe /v /fo csv > drivers.csv
Use Get-WinUserLanguageList for better formatting, or directly:
Get-WinSystemLocale | Out-Null
Get-CimInstance Win32_SystemDriver | Where-Object {$_.State -eq 'Running'} | Select-Object Name, DisplayName, PathName, Started, StartMode
Verify digital signatures of each driver file
Get-ChildItem C:\Windows\System32\drivers.sys | ForEach-Object {
Get-AuthenticodeSignature -FilePath $_.FullName | Select-Object Path, SignerCertificate, Status
}
Step 2: Check a specific driver against LOLDrivers
Download the LOLDrivers JSON or CSV from loldrivers.io. Then compare hashes or filenames:
$LOLDrivers = Invoke-RestMethod -Uri "https://www.loldrivers.io/api/drivers.json"
$LoadedDrivers = Get-CimInstance Win32_SystemDriver | Where-Object {$_.State -eq 'Running'}
foreach ($drv in $LoadedDrivers) {
$driverFile = $drv.PathName -replace "\SystemRoot\", "$env:SystemRoot\"
if (Test-Path $driverFile) {
$hash = (Get-FileHash -Path $driverFile -Algorithm SHA256).Hash
if ($LOLDrivers.hash -contains $hash) {
Write-Warning "VULNERABLE DRIVER LOADED: $($drv.Name) -> $hash"
}
}
}
Step 3: Hunt for known BYOVD binaries using Sysinternals sigcheck:
sigcheck64.exe -e -s C:\Windows\System32\drivers > driver_verify.txt findstr /i "throttlestop dsark64 corsair asio" driver_verify.txt
ThrottleStop.sys (used by Akira ransomware) and DsArk64.sys (Microsoft‑signed, kills PPL processes with a 4‑byte IOCTL) are two high‑priority indicators.
- Hardening Windows Kernel Security – HVCI & WDAC Step‑by‑Step
Enable Hypervisor‑protected Code Integrity (HVCI) – also called Memory Integrity:
1. Open Windows Security → Device Security → Core Isolation.
2. Turn on Memory Integrity (reboot required).
3. Verify from PowerShell:
Get-ComputerInfo -Property "DeviceGuard" Look for "DeviceGuardHypervisorEnforcedCodeIntegrity" = True
Create a WDAC policy to block LOLDrivers using Microsoft’s recommended blocklist + custom entries:
Install the WDAC policy tools (if missing)
Add-WindowsCapability -Online -Name "WDACPolicyManager~~~~0.0.1.0"
Merge Microsoft’s vulnerable driver blocklist
$BasePolicy = "C:\Windows\System32\CodeIntegrity\CiPolicies\Active{GUID}.cip"
Download updated blocklist from https://aka.ms/vulnerabledriverblocklist
Merge-CIPolicy -OutputFilePath "C:\WDAC\CustomBlockPolicy.xml" -PolicyPaths $BasePolicy
Add custom hash rules from LOLDrivers (using a CSV export)
$LOLHashList = Import-Csv "loldrivers_hashes.csv"
foreach ($row in $LOLHashList) {
New-CIPolicyRule -DriverFilePath $null -Hash $row.SHA256 -Deny | Add-CIPolicyRule -PolicyPath "C:\WDAC\CustomBlockPolicy.xml"
}
Convert to binary and deploy
ConvertFrom-CIPolicy -XmlFilePath "C:\WDAC\CustomBlockPolicy.xml" -BinaryFilePath "C:\WDAC\CustomBlockPolicy.bin"
Copy-Item "C:\WDAC\CustomBlockPolicy.bin" "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\"
RefreshPolicy.exe
Test the policy – attempt to load a known vulnerable driver (in isolated lab only):
sc.exe create MyVulnDrv binPath= C:\test\bad_driver.sys type= kernel sc.exe start MyVulnDrv Should fail with error 577: Windows cannot verify the digital signature.
- Monitoring BYOVD Attacks with Sysmon and Event Logs
Install Sysmon with a configuration that logs driver loads:
<!-- Sysmon config snippet for driver load events (Event ID 6) --> <Sysmon> <EventFiltering> <DriverLoad onmatch="include"> <Image condition="contains">\drivers\</Image> </DriverLoad> </EventFiltering> </Sysmon>
Install: `sysmon64.exe -accepteula -i sysmon_config.xml`
Create a detection rule for known malicious IOCTLs (example for DsArk64.sys termination of protected processes):
Monitor for 4-byte IOCTL 0x80002010 to \Device\DsArkDevice
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=6} | Where-Object {
$<em>.Message -match "DsArk64.sys" -and $</em>.Message -match "IOCTL"
}
Correlate with EDR telemetry – most modern EDRs do not hook driver load at the kernel level; use Sysmon + Windows Defender for Endpoint’s block mode on WDAC.
5. Incident Response: Unloading & Removing Malicious Drivers
If a BYOVD driver is already loaded:
- Terminate the attacking process that loaded the driver (often a dropper with
SeLoadDriverPrivilege).
2. Stop and delete the driver service:
sc stop VulnDriverName sc delete VulnDriverName
3. Unload the driver forcefully (requires PPL bypass or kernel debugger) – safer to reboot into safe mode and delete the `.sys` file from C:\Windows\System32\drivers\.
4. Check for persisted kernel callbacks using `WinObj` or `Autoruns` for legacy driver registrations.
Recover by restoring a known‑good image if the attacker disabled HVCI or patched kernel structures.
6. Linux Parallel: Kernel Module Signing & Mitigations
While BYOVD is Windows‑specific, Linux faces similar risks with unsigned kernel modules (DKOM attacks). Mitigate with:
– UEFI Secure Boot + module signature enforcement (CONFIG_MODULE_SIG_FORCE).
– Lockdown LSM (lockdown=integrity) to block module loading after init.
– Check loaded modules:
lsmod | grep -v "^Module" modinfo <module_name> | grep sig_hash verify signature
Use `chkrootkit` or `rkhunter` to detect hidden kernel modules.
What Undercode Say
- The LOLDrivers gap is not an oversight – it’s a systemic trust failure. Microsoft’s blocklist covers only 27% of known vulnerable drivers, leaving defenders to build their own blocklists. This shifts the burden to security teams who often lack the tooling to manage dynamic driver block policies.
- Proactive WDAC + HVCI deployment is no longer optional. Given that 21% of vulnerable drivers load even with Memory Integrity enabled, a layered approach (HVCI + custom WDAC + Sysmon + EDR) is required. Organizations that rely solely on default Windows security will be breached via BYOVD in 2026.
Analysis: The rise of LOLDrivers – from 12 merged PRs and 90+ new entries in one month – shows the attacker community is actively mining signed drivers for zero‑day IOCTLs. Defenders must automate blocklist updates using CI/CD pipelines (e.g., pull LOLDrivers API daily, rebuild WDAC policy, redeploy via Intune). The ESET March 2026 report on 54 EDR killers confirms that ransomware groups now treat BYOVD as a standard kill chain step.
Prediction
By 2027, Microsoft will likely integrate a dynamic, cloud‑based vulnerable driver blocklist into Defender for Endpoint, similar to SmartScreen for drivers. However, until then, BYOVD will remain a primary vector for privilege escalation and EDR evasion. Expect to see vulnerable drivers targeting virtualization‑based security (VBS) directly – bypassing HVCI by abusing hypervisor‑to‑hardware interfaces. The LOLDrivers project will become a mandatory feed for every SOC, and WDAC‑as‑code will replace static allow/deny lists in mature Windows environments.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


